Cooperation between applets and servlets
Applets: Applets run on the client side, servlets on
the server side. Applets are suitable for presentation and logic that belongs
on the client, for example: advanced graphics or animation; special GUI controls (e.g. a WYSIWYG editor)
Problem: how do applets and servlets communicate?
Constraints: Applets run in a sandbox and are therefore restricted. An applet can only contact the network host from
which it originated. The applet can therefore only retrieve
information from its "home".
Technique 1: control the applet from the server
Technique : configurable applet
<html> <head> <title>Drawing applet example</title> </head>
<body> <applet width="300"
height="200" code="drawing.class"> <param name="drawing" value="0-255-255-255-0-0; 5-0-0-300-200-0; 0-255-0-0-0-0;
1-18-18-188-288-0; 1-20-10-400-10-0; 5-45-29-22-23-3;frode; 4-200-30-0-0-my name is frode"> </applet> </body></html>
The Appletimport java.util.*;import java.awt.*;import java.applet.*;
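/**
 * Applet that renders a drawing described by the {@code drawing} applet parameter.
 *
 * <p>The parameter is a list of commands separated by {@code ;}. Each command consists of
 * six fields separated by {@code -}: an opcode, four integer arguments and a text argument.
 * Because {@code ;} and {@code -} are the separators, the text argument cannot contain them.
 */
public class drawing extends Applet {
    String drawing;

    /** Reads the command list from the {@code drawing} parameter of the applet tag. */
    public void init() {
        // retrieve drawing parameters from the server
        drawing = getParameter("drawing");
    }

    /** Repaints the applet by replaying every command in the command list. */
    public void paint(Graphics g) {
        parseDrawing(g);
    }

    /**
     * Splits the command list and executes each well-formed command.
     *
     * @param g graphics context to draw on
     */
    public void parseDrawing(Graphics g) {
        // The parameter is absent when the page does not define it; there is nothing to draw then.
        if (drawing == null) {
            return;
        }
        // retrieve all commands
        StringTokenizer commands = new StringTokenizer(drawing, ";");
        while (commands.hasMoreElements()) {
            try {
                int op, arg1, arg2, arg3 = 0, arg4 = 0;
                String arg5 = "";
                String fullcommand = commands.nextToken();
                // tokenize the command
                StringTokenizer parts = new StringTokenizer(fullcommand, "-");
                op = Integer.parseInt(parts.nextToken());
                arg1 = Integer.parseInt(parts.nextToken());
                arg2 = Integer.parseInt(parts.nextToken());
                arg3 = Integer.parseInt(parts.nextToken());
                arg4 = Integer.parseInt(parts.nextToken());
                arg5 = parts.nextToken();
                draw(g, op, arg1, arg2, arg3, arg4, arg5);
            } catch (RuntimeException e) {
                // Syntax errors that occur in command input are ignored in this example:
                // a non-numeric field, a missing field or an out-of-range colour value
                // skips that one command and processing continues with the next.
            }
        }
    }

    /**
     * Executes one drawing command.
     *
     * @param g  graphics context to draw on
     * @param op opcode: 0 set colour (a1, a2, a3 as red, green, blue), 1 line, 2 oval outline,
     *           3 rectangle outline, 4 text a5 at (a1, a2), 5 filled rectangle, 6 filled oval;
     *           any other value is ignored
     */
    public void draw(Graphics g, int op, int a1, int a2, int a3, int a4, String a5) {
        switch (op) {
            case 0: g.setColor(new Color(a1, a2, a3)); break;
            case 1: g.drawLine(a1, a2, a3, a4); break;
            case 2: g.drawOval(a1, a2, a3, a4); break;
            case 3: g.drawRect(a1, a2, a3, a4); break;
            case 4: g.drawString(a5, a1, a2); break;
            case 5: g.fillRect(a1, a2, a3, a4); break;
            case 6: g.fillOval(a1, a2, a3, a4); break;
        }
    }
}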
Technique 2: the applet contacts the server
Functionality: the user clicks and the text follows
<html> <head> <title>Drawing applet example</title> </head>
<body> <applet width="300"
height="200" code="dynamicdrawing.class"> <param name="source" value="/drawing.jsp"> </applet> </body></html>
drawing.jsp
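<%
  // The x and y request parameters are supplied by the client. They are parsed as integers
  // before being placed in the response header, so a request cannot add header content or
  // extra ';'-separated drawing commands through the query string.
  String textCommand = "";
  try {
    int x = Integer.parseInt(request.getParameter("x"));
    int y = Integer.parseInt(request.getParameter("y"));
    textCommand = "4-" + x + "-" + y + "-0-0-Hi here I am";
  } catch (NumberFormatException e) {
    // Missing or non-numeric coordinates: only the fixed part of the drawing is sent.
  }
  response.setHeader("drawing", "1-10-10-100-100-0;1-100-10-20-200-0;" + textCommand);
%>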
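/**
 * Reads the {@code source} applet parameter, fetches the initial drawing and registers
 * this applet as its own mouse listener.
 */
public void init() {
    // NOTE(review): the field declarations are outside this excerpt; contactServer() reads
    // `source`, so the parameter is stored under that name here.
    source = getParameter("source");
    contactServer(-1, -1);
    addMouseListener(this);
}

/**
 * Requests the resource named by {@code source} from the applet's own host, passing the
 * coordinates as query parameters, and stores the {@code drawing} response header.
 *
 * @param x x coordinate sent to the server
 * @param y y coordinate sent to the server
 */
public void contactServer(int x, int y) {
    try {
        // Protocol, host and port are taken from the code base, so the request goes to
        // the host the applet was loaded from.
        URL server = new URL(getCodeBase().getProtocol(), getCodeBase().getHost(),
                getCodeBase().getPort(), source + "?x=" + x + "&y=" + y);
        URLConnection connection = server.openConnection();
        connection.setUseCaches(false);
        String fetched = connection.getHeaderField("drawing");
        // getHeaderField returns null when the header is absent; keep the previous drawing then.
        if (fetched != null) {
            drawing = fetched;
        }
    } catch (Exception e) {
        // The previous drawing stays in place; report the failure instead of hiding it.
        System.err.println("Could not fetch drawing: " + e);
    }
    Runtime.getRuntime().gc();
}

/** Sends the click position to the server and repaints with the returned drawing. */
public void mouseClicked(MouseEvent h) {
    contactServer(h.getX(), h.getY());
    repaint();
}
}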
Filtering and filters
client
ServletJSP-page
filter
filter
filter
filter
request
response
Application areas: Catch requests and inspect content and HTTP
headers. Catch and modify requests before they reach the
actual resource (servlet or JSP page). Catch responses from the resource and inspect
content and HTTP headers. Catch and modify responses from resources.
Examples: compression filters, encryption filters, image conversion filters, log and account filters, security and authentication filters, XSLT transformation filters
Example 1:Catch and block requests
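package filter;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

/**
 * Filter that answers 403 Forbidden when the User-Agent header contains "IE" and lets
 * every other request continue down the chain.
 *
 * <p>The User-Agent header is supplied by the client and can be set to any value, so this
 * check demonstrates request blocking; it is not an access control.
 */
public class IEfilter implements Filter {
    private FilterConfig filterConfig;

    public void setFilterConfig(final FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Passes the request on, marked with the {@code filtercheck} attribute, unless the
     * User-Agent header contains "IE"; in that case 403 is sent and the chain is not invoked.
     */
    public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String browser = req.getHeader("User-Agent");
        // The header value is printed unmodified; it is client-controlled text.
        System.out.println("Before if check " + browser);
        // getHeader returns null when the client sends no User-Agent; such a request
        // does not contain "IE" and is let through.
        if (browser == null || browser.indexOf("IE") == -1) {
            request.setAttribute("filtercheck", "Approved by frode's filter");
            chain.doFilter(request, response);
            // Stop here: sending an error after the resource has produced its response
            // would hit an already committed response.
            return;
        }
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void init(FilterConfig c) {
        this.filterConfig = c;
    }

    public void destroy() {
        this.filterConfig = null;
    }
}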
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Registers filter.IEfilter under the name MSblocker and maps it to *.jsp.
     Only requests matching *.jsp pass through the filter; servlets and static
     resources under other URL patterns are not covered by this mapping. -->
<web-app> <filter> <filter-name>MSblocker</filter-name> <filter-class>filter.IEfilter</filter-class> </filter>
<filter-mapping> <filter-name>MSblocker</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping></web-app>
Example 2:Filter chaining – avoid html injection
Modifying request
<h1> <hi>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
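<web-app>
  <!-- Four instances of filter.SensureFilterConfig, each replacing one character in
       request parameters with its HTML entity. The replacement values are written
       inside CDATA so that the XML parser hands the entity text itself to the filter;
       a bare entity reference would be decoded back to the original character and
       the filter would replace the character with itself.
       The single quote is not handled by any of these filters. -->
  <filter>
    <filter-name>ltFilter</filter-name>
    <filter-class>filter.SensureFilterConfig</filter-class>
    <init-param>
      <param-name>find</param-name>
      <param-value><![CDATA[<]]></param-value>
    </init-param>
    <init-param>
      <param-name>replace</param-name>
      <param-value><![CDATA[&lt;]]></param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>gtFilter</filter-name>
    <filter-class>filter.SensureFilterConfig</filter-class>
    <init-param>
      <param-name>find</param-name>
      <param-value><![CDATA[>]]></param-value>
    </init-param>
    <init-param>
      <param-name>replace</param-name>
      <param-value><![CDATA[&gt;]]></param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>ampFilter</filter-name>
    <filter-class>filter.SensureFilterConfig</filter-class>
    <init-param>
      <param-name>find</param-name>
      <param-value><![CDATA[&]]></param-value>
    </init-param>
    <init-param>
      <param-name>replace</param-name>
      <param-value><![CDATA[&amp;]]></param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>quotFilter</filter-name>
    <filter-class>filter.SensureFilterConfig</filter-class>
    <init-param>
      <param-name>find</param-name>
      <param-value><![CDATA["]]></param-value>
    </init-param>
    <init-param>
      <param-name>replace</param-name>
      <param-value><![CDATA[&quot;]]></param-value>
    </init-param>
  </filter>
  <!-- Order matters: ampFilter is mapped first so that the ampersand is escaped before
       the other filters introduce entities of their own. If it ran later, the
       ampersand inside an already inserted entity would be escaped a second time. -->
  <filter-mapping>
    <filter-name>ampFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ltFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>gtFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>quotFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
</web-app>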
The Filter
package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;import filter.SensureWrapperConfig;
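/**
 * Filter that wraps each request in a {@link SensureWrapperConfig} so that parameter
 * values read by the target resource have {@code find} replaced with {@code replace}.
 * Both strings come from the filter's init parameters of the same names.
 */
public class SensureFilterConfig implements Filter {
    private FilterConfig filterConfig;
    private String find, replace;

    public void setFilterConfig(final FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /** Hands the wrapped request to the rest of the chain; the response is passed on unchanged. */
    public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        SensureWrapperConfig req = new SensureWrapperConfig((HttpServletRequest) request, find, replace);
        chain.doFilter(req, response);
    }

    /**
     * Reads the {@code find} and {@code replace} init parameters.
     *
     * @throws ServletException if either parameter is missing or {@code find} is empty, so a
     *         misconfigured filter fails at start-up instead of passing values through unescaped
     */
    public void init(FilterConfig c) throws ServletException {
        this.filterConfig = c;
        find = filterConfig.getInitParameter("find");
        replace = filterConfig.getInitParameter("replace");
        if (find == null || find.length() == 0 || replace == null) {
            throw new ServletException(
                    "SensureFilterConfig requires the init parameters 'find' and 'replace'");
        }
    }

    public void destroy() {
        this.filterConfig = null;
    }
}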
We need a wrapper, because a request cannot be modified once it is
created (it is read-only)
package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;
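// This class reads and modifies the parameter list
/**
 * Request wrapper that returns parameter values with every occurrence of {@code find}
 * replaced by {@code replace}. Both are treated as literal text, not as regular expressions.
 *
 * <p>Only {@link #getParameter} and {@link #getParameterValues} are covered. Values obtained
 * through {@code getParameterMap()}, headers, cookies or the request body are returned
 * unchanged, so pages should still encode data at the point where it is written out.
 */
public class SensureWrapperConfig extends HttpServletRequestWrapper {
    private String find, replace;

    /** Creates a wrapper without a substitution; parameter values are returned unchanged. */
    public SensureWrapperConfig(HttpServletRequest req) {
        super(req);
    }

    public SensureWrapperConfig(HttpServletRequest req, String find, String replace) {
        super(req);
        this.find = find;
        this.replace = replace;
    }

    /** Returns the substituted value of a parameter, or {@code null} if it is absent. */
    public String getParameter(String param) {
        return substitute(super.getParameter(param));
    }

    /** Returns the substituted values of a multi-valued parameter, or {@code null} if it is absent. */
    public String[] getParameterValues(String param) {
        String[] values = super.getParameterValues(param);
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = substitute(values[i]);
        }
        return result;
    }

    // Applies the literal substitution; a missing parameter or an unconfigured wrapper
    // leaves the value as it is.
    private String substitute(String value) {
        if (value == null || find == null || find.length() == 0 || replace == null) {
            return value;
        }
        return value.replace(find, replace);
    }
}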
Example 3:Modify the response
<body> <head> <link rel="stylesheet" href="style.css" type="text/css"/> </head> <body>
<!-- Registers filter.BodyFilter as postFilter for *.jsp. Its find/replace init parameters
     are written as CDATA: the replacement inserts a head element with a stylesheet link
     in front of the body tag. Only responses for URLs matching *.jsp are rewritten. -->
<web-app><filter>
<filter-name>postFilter</filter-name> <filter-class>filter.BodyFilter</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA[<body>]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value><![CDATA[ <head> <link rel="stylesheet" href="style.css" type="text/css"/> </head>
<body>]]></param-value>
</init-param></filter>
<filter-mapping> <filter-name>postFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping></web-app>
The Filter
import filter.BodyWrapper;
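/**
 * Filter that captures the response body produced further down the chain, replaces every
 * occurrence of {@code find} with {@code replace} and writes the result to the client.
 * Both strings come from the filter's init parameters and are treated as literal text.
 */
public class BodyFilter implements Filter {
    private FilterConfig filterConfig;
    private String find, replace;

    public void setFilterConfig(final FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Runs the rest of the chain against a {@link BodyWrapper}, rewrites the captured body
     * and sends it on the real response.
     */
    public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        OutputStream out = response.getOutputStream();
        BodyWrapper res = new BodyWrapper((HttpServletResponse) response);
        chain.doFilter(request, res);

        // Decode and encode with the response's own character encoding; the platform
        // default may differ and would corrupt non-ASCII text.
        String encoding = response.getCharacterEncoding();
        if (encoding == null) {
            encoding = "ISO-8859-1";
        }
        String body = new String(res.getData(), encoding);
        if (find != null && find.length() > 0 && replace != null) {
            body = body.replace(find, replace);
        }
        byte[] rewritten = body.getBytes(encoding);
        // The length announced by the resource no longer matches once the body is rewritten.
        response.setContentLength(rewritten.length);
        out.write(rewritten);
        out.close();
    }

    /** Reads the {@code find} and {@code replace} init parameters. */
    public void init(FilterConfig c) {
        this.filterConfig = c;
        find = filterConfig.getInitParameter("find");
        replace = filterConfig.getInitParameter("replace");
    }

    public void destroy() {
        this.filterConfig = null;
    }
}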
The Wrapper
package filter;import javax.servlet.*;import java.io.*;
/**
 * {@link ServletOutputStream} that forwards everything written to it to the stream
 * supplied at construction time.
 */
public class BodyStream extends ServletOutputStream {
    private final DataOutputStream target;

    /**
     * @param output stream that receives all bytes written to this object
     */
    public BodyStream(OutputStream output) {
        this.target = new DataOutputStream(output);
    }

    /** Forwards a slice of a byte array. */
    @Override
    public void write(byte[] b, int off, int len) throws IOException {
        target.write(b, off, len);
    }

    /** Forwards a whole byte array. */
    @Override
    public void write(byte[] b) throws IOException {
        target.write(b);
    }

    /** Forwards a single byte. */
    @Override
    public void write(int b) throws IOException {
        target.write(b);
    }
}
package filter;
import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import filter.BodyStream;
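/**
 * Response wrapper that collects the body written by the wrapped resource in memory
 * instead of sending it to the client, so a filter can rewrite it afterwards.
 *
 * <p>The whole body is held in a {@link ByteArrayOutputStream}; memory use grows with
 * the size of the response.
 */
public class BodyWrapper extends HttpServletResponseWrapper {
    private ByteArrayOutputStream output;
    private int contentLength;
    private String contentType;

    /**
     * @param res the real response; headers and status still go to it, the body does not
     */
    public BodyWrapper(HttpServletResponse res) {
        super(res);
        output = new ByteArrayOutputStream();
    }

    /** Returns a copy of the bytes captured so far. */
    public byte[] getData() {
        return output.toByteArray();
    }

    /** Returns a stream that writes into the in-memory buffer. */
    public ServletOutputStream getOutputStream() {
        return new BodyStream(output);
    }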
Part 1
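/**
 * Records the length announced by the resource without forwarding it to the real response:
 * the body is captured and may be rewritten, so the announced length may no longer match
 * what is finally sent.
 */
public void setContentLength(int length) {
    this.contentLength = length;
}

/** Returns the length last announced through {@link #setContentLength}. */
public int getContentLength() {
    return contentLength;
}

/** Records the content type and forwards it to the real response. */
public void setContentType(String type) {
    this.contentType = type;
    super.setContentType(type);
}

/** Returns the content type last set through {@link #setContentType}. */
public String getContentType() {
    return contentType;
}

/**
 * Returns a writer that encodes into the captured body using the response's character
 * encoding, falling back to the platform default if that encoding is not supported.
 */
public PrintWriter getWriter() {
    // NOTE(review): text written here reaches the buffer only when the writer is flushed
    // (auto-flush covers println/printf/format only); confirm the container flushes the
    // writer before the filter reads the captured data.
    try {
        return new PrintWriter(new OutputStreamWriter(getOutputStream(), getCharacterEncoding()), true);
    } catch (UnsupportedEncodingException e) {
        return new PrintWriter(getOutputStream(), true);
    }
}
}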
Part 2
Have a nice weekend